The core committee has decided that one of the security issues due to be fixed next week is sufficiently bad that we need to take extra measures to prevent it from becoming public before packages containing the fix are available. (This is a scenario we've discussed before, but never had to actually implement.)

1) if an origin is first-party, it has ordinary cookie permissions
2) if an origin is third-party
a) if the origin already has cookies, it has ordinary cookie permissions
b) otherwise, the origin gets no cookie permissions